Lucene search
K
CaddyserverCaddy

20 matches found

CVE
CVE
added 2023/10/10 12:0 a.m.5304 views

CVE-2023-44487

CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...

7.5CVSS8AI score0.99999EPSS
In wild
CVE
CVE
added 2023/02/06 12:0 a.m.142 views

CVE-2022-28923

CVE-2022-28923 affects Caddy v2.4.6. The available sources describe an open redirect in the Caddy 2.4.6 open redirect vulnerability, where a crafted URL can redirect users to attacker-controlled sites, enabling phishing and potential data exposure. The practical impact is phishing-related credent...

6.1CVSS6.1AI score0.01431EPSS
CVE
CVE
added 2022/07/22 12:0 a.m.121 views

CVE-2022-34037

CVE-2022-34037 describes an out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go of Caddy v2.5.1 , enabling a potential Denial of Service via a crafted URI. The OpenSUSE and OSV entries in the connected documents confirm the issue and indicate that an update to a fi...

7.5CVSS7.2AI score0.00972EPSS
CVE
CVE
added 2022/06/02 12:0 a.m.103 views

CVE-2022-29718

CVE-2022-29718 affects Caddy v2.4 and is an open redirect vulnerability. An unauthenticated remote attacker can trick a user into clicking a crafted link, causing the user to be redirected to an arbitrary URL. Public references confirm the issue and indicate downstream fixes: openSUSE/SUSE backpo...

6.1CVSS6.1AI score0.00983EPSS
CVE
CVE
added 2020/06/15 4:50 p.m.97 views

CVE-2018-21246

Caddy before 0.10.13 mishandles TLS client authentication due to missing StrictHostMatching, enabling an authentication bypass. Affected product: Caddy web server; vulnerability in TLS client auth handling (authentication bypass). CVE-2018-21246 is documented in multiple sources (GHSA, OSV, NVD, ...

9.8CVSS9.6AI score0.02723EPSS
CVE
CVE
added 2026/02/24 4:28 p.m.94 views

CVE-2026-27588

Summary (CVE-2026-27588) Caddy (v2.x) vulnerability in the host matcher: when a large allowlist (>100 hosts) is configured, the MatchHost algorithm uses a fast path that enforces a case-sensitive comparison, which makes the host matching effectively case-sensitive and can bypass host-based rou...

9.1CVSS5.6AI score0.0037EPSS
CVE
CVE
added 2026/02/24 4:33 p.m.85 views

CVE-2026-27590

Caddy prior to 2.11.1 is affected. The FastCGI path-splitting logic lowercased the request path to compute a split index, then used that index on the original path; Unicode can change byte length after lowercasing, causing SCRIPT_NAME/SCRIPT_FILENAME and PATH_INFO misalignment. This path confusio...

9.8CVSS5.9AI score0.00542EPSS
CVE
CVE
added 2026/02/24 4:30 p.m.67 views

CVE-2026-27589

Summary: CVE-2026-27589 affects Caddy prior to 2.11.1. The local admin API (default at 127.0.0.1:2019) exposes a state-changing POST /load that can replace the running configuration. If origin enforcement is not enabled, the admin endpoint accepts cross-origin requests and applies an attacker-sup...

8.2CVSS5.4AI score0.00166EPSS
CVE
CVE
added 2018/11/10 7:0 p.m.57 views

CVE-2018-19148

CVE-2018-19148 affects Caddy up to 0.11.0. When a request’s Host header cannot be matched to any vhost, Caddy serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests with nonexistent hostnames enable enumeration of all certificates and relationships amon...

4.3CVSS4AI score0.00862EPSS
CVE
CVE
added 2023/12/10 12:0 a.m.46 views

CVE-2023-50463

The CVE-2023-50463 issue affects the caddy-geo-ip (GeoIP) middleware for Caddy 2 up to version 0.6.0. The vulnerability arises when trust_header X-Forwarded-For is used: an attacker can spoof their source IP address by manipulating X-Forwarded-For, potentially bypassing protection mechanisms such...

6.5CVSS6.3AI score0.00655EPSS
CVE
CVE
added 2026/06/23 5:56 p.m.43 views

CVE-2026-45135

CVE-2026-45135 (Caddy) describes two Unicode bypass flaws in the FastCGI splitPos logic (modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go) that mis-use golang.org/x/text/search with IgnoreCase when a non-ASCII byte appears in the request path. This can cause a non-.php file to be treated as a sc...

8.1CVSS6.5AI score0.00399EPSS
CVE
CVE
added 2026/02/24 4:6 p.m.29 views

CVE-2026-27585

CVE-2026-27585 affects Caddy prior to 2.11.1 due to improper sanitization of backslashes in the file matcher’s path sanitization routine, which can bypass path-related security protections. The issue is fixed in version 2.11.1. Affected environment/configurations are specified as requiring cautio...

8.2CVSS5.4AI score0.00323EPSS
CVE
CVE
added 2026/06/23 5:47 p.m.28 views

CVE-2026-52846

Summary: CVE-2026-52846 affects Caddy's stripHTML template function, which cannot reliably strip certain malformed HTML (e.g., <img src=x onerror=alert()>). This can bypass tag-stripping and may enable client-side XSS when untrusted strings are rendered as HTML. The issue originates in func...

4.2CVSS5.8AI score0.00153EPSS
CVE
CVE
added 2026/03/07 4:28 p.m.24 views

CVE-2026-30852

Caddy 2.x versions are affected: from 2.7.5 up to 2.11.2 (inclusive of 2.7.5 through 2.11.1) have a vulnerability in vars_regexp where user-controlled input is double-expanded by the replacer. If a header like X-Input contains a placeholder such as {http.request.header.X-Input}, the header value ...

7.5CVSS5.7AI score0.00401EPSS
CVE
CVE
added 2026/02/24 4:8 p.m.22 views

CVE-2026-27586

Summary (CVE-2026-27586): Caddy prior to 2.11.1 has two swallowed errors in ClientAuthentication.provision() that cause mTLS client authentication to silently fail open when the CA certificate file is missing, unreadable, or malformed. The server starts and accepts client certs signed by any syst...

9.3CVSS5.5AI score0.00267EPSS
CVE
CVE
added 2026/06/23 5:55 p.m.21 views

CVE-2026-45692

CVE-2026-45692 (Caddy) describes a remote admin authorization bypass where the /config traversal layer and the authorization layer disagree on the target object. Specifically, from 2.4.0 through 2.11.3, an authorized path such as /config/apps/http/servers/srv/routes/0 could be used to access or m...

5.4CVSS5.8AI score0.00144EPSS
CVE
CVE
added 2026/02/24 4:26 p.m.17 views

CVE-2026-27587

The CVE describes a vulnerability in Caddy’s path matching: before version 2.11.1, the HTTP path matcher is intended to be case-insensitive, but when the pattern contains percent-escape sequences (%xx) it compares against the request’s EscapedPath without lowercasing. This can allow bypassing rou...

9.1CVSS5.5AI score0.0037EPSS
CVE
CVE
added 2026/06/23 5:52 p.m.16 views

CVE-2026-52845

Summary (CVE-2026-52845): Caddy 2.11.x contains a bypass in forward_auth copy_headers where, prior to 2.11.4, the exact client-supplied header was deleted but HTTP header names are later normalized to CGI variables, allowing an underscore alias to collide with a trusted header in FastCGI backends...

8.1CVSS5.9AI score0.00246EPSS
CVE
CVE
added 2026/06/23 5:50 p.m.14 views

CVE-2026-52844

CVE-2026-52844 describes a Windows-specific path handling bug in Caddy prior to 2.11.4 where path matchers do not normalize backslashes, causing a request like /private%5csecret.txt to bypass path-scoped auth and reach the protected file, e.g., /private/*, through file_server. The issue is exploi...

7.5CVSS5.9AI score0.00409EPSS
CVE
CVE
added 2026/03/07 4:28 p.m.13 views

CVE-2026-30851

CVE-2026-30851 (Caddy) affects Caddy server up to version 2.11.2. The issue is in forward_auth copy_headers, which fails to strip client-supplied headers, enabling identity injection and privilege escalation. This vulnerability is grounded in the component/behavior described across multiple sourc...

8.8CVSS5.7AI score0.00249EPSS